Nadia Eghbal's Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure is a long, detailed report on the structural impediments to maintaining key pieces of free/open software that underpin the internet -- it reveals the startling fragility of tools that protect the integrity, safety, privacy and finances of billions of people, which are often maintained by tiny numbers of people (sometimes just one person).

The paper is excellent, but suffers from some organizational deficits, the first being a lack of a good executive summary for people who aren't sure if they want to read 142 pages; the second being that the main event really starts on page 58, in the "Challenges Facing Digital Infrastructure" (the preceding is history and background), which moves on to strategies for fixing things.

Anaplan - the cloud-based vendor of business modelling and planning software - wants to eliminate Excel spreadsheet-based business processes within the enterprise.

Speaking at its Hub 16 event in London this week, chief marketing officer Grant Halloran said that Excel is often overlooked as part of an organisation's IT application environment, despite its widespread use.

"What we don’t see is the smattering of Excel spreadsheets across this landscape on IT diagrams. It is spread through the business like a virus," he said.

Today, November 11, 2016, Canonical published several security advisories to inform users of the Ubuntu Linux operating system about new kernel updates that patch multiple vulnerabilities discovered lately.

Despite growing security threats, the Internet of Things hype shows no sign of abating. Feeling the FoMo, companies are busily rearranging their roadmaps for IoT. The transition to IoT runs even deeper and broader than the mobile revolution. Everything gets swallowed in the IoT maw, including smartphones, which are often our windows on the IoT world, and sometimes our hubs or sensor endpoints.

New IoT focused processors and embedded boards continue to reshape the tech landscape. Since our Linux and Open Source Hardware for IoT story in September, we’ve seen Intel Atom E3900 “Apollo Lake” SoCs aimed at IoT gateways, as well as new Samsung Artik modules, including a Linux-driven, 64-bit Artik7 COM for gateways and an RTOS-ready, Cortex-M4 Artik0. ARM announced Cortex-M23 and Cortex-M33 cores for IoT endpoints featuring ARMv8-M and TrustZone security.

Microsoft has patched 68 vulnerabilities in Windows, Office, Edge, Internet Explorer and SQL Server, two of which have already been exploited by attackers and three that have been publicly disclosed.

The patches are covered in 14 security bulletins, one dedicated to Adobe Flash Player which is upgraded through Windows Update in Windows 10 and 8.1. Six of the bulletins are rated critical and eight are rated important.

The IoTSeeker tool from Rapid7 is designed to comb through users’ networks and identify common IoT devices with default usernames and passwords enabled. Those are the devices upon which botnets such as Mirai feed, especially those with telnet exposed on default ports. Mirai searches for devices with telnet enabled and using default credentials and then compromises them and begins scanning again.

Recently DDoS has come into the news because of recent attack (by IoT devices) on Twitter. Although DDoS is not a new kind of attack, because of the advent of IoT, the "smart" devices are new victims for web-based attacks, and as per the predictions it is more likely to grow. What makes this situation even more perilous is the rapid growth of IoT devices out there on the market. As per the estimate, there would be around 50 billion connected devices by the year 2020.

The DDoS attacks cannot be mitigated completely but by taking some measures the effect can be minimized. This is the theme of this article. Let’s first understand...

The US election cycle has been quite heavily dominated by cyber security issues. A number of cyber security experts have even stepped forward to offer their solutions to how to keep safe. Everyone has problems with their proposals, that fundamentally they all stem from not understanding the actual threat.

Achieving security is possible using counterintelligence principles, but it requires knowing what you want to protect, who you want to protect it from, and then implementing that plan. I expect this post to be deeply unpopular with everyone, but I’ll explain my position anyway.

A Distributed Denial of Service (DDoS) attack halted heating distribution at least in two properties in the city of Lappeenranta, located in eastern finland. In both of the events the attacks disabled the computers that were controlling heating in the buildings.

Both of the buildings where managed by Valtia. The company who is in charge of managing the buildings overall operation and maintenance. According to Valtia CEO, Simo Rounela, in both cases the systems that controlled the central heating and warm water circulation were temporarily disabled.

In the city of Lappeenranta, there were at least two buildings whose systems were knocked down by the network attack. In a DDoS attack the network is overloaded by traffic from multiple locations with the aim of causing the system to fail.

The Finnish communications regulator Ficora said it suspects criminal entities of coordinating a web attack that disrupted home automation systems in the southeastern city of Lappeenranta. However the agency said that the real target of the attack may not have been in Finland.

"According to our information, the systems in question are not the intended targets in this case, but they were compromised in a cyber attack that focused on European entities. In other words, it seems that there was some criminal group behind it," said Jarkko Saarimäki, head of Ficora’s cyber security centre.

Officials said that the event bore the hallmark of a denial of service (DoS) strike, which floods a service which so much web traffic that it is unable to provide services normally.

Security researchers in Canada and Israel have discovered a way to take over the Internet of Things (IoT) from the sky.

Okay, that’s a little dramatic, but the researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code.

Continuous integration (CI) support in github is a very useful addition. Not only can you utilize existing services like Travis CI, you can utilize the github API and roll your own, which is exactly what we did for libStorageMgmt. LibStorageMgmt needs to run tests for hardware specific plugins, so we created our own tooling to hook up github and our hardware which is geographically located across the US. However, shortly after getting all this in place and working it became pretty obvious that we provided a nice attack vector…

Hackers are recruiting the internet of things into a botnet. But this time they’re not trying to take down the internet. They’re just using them to make fake social media accounts – which they can then sell to online narcissists to make an easy buck.

Masarah-Cynthia Paquet-Clouston, a criminologist with the University of Montreal, and Olivier Bilodeau, a cybersecurity researcher at Montreal-based company GoSecure, have uncovered a large botnet that recruits everyday devices such as connected toasters, fridges or even your grandmother’s router to help commit social media fraud. They think that this stealthy, lucrative scheme is a glimpse into the future of low-level cybercrime.

We've been talking about the ridiculousness of e-voting machines for well over a decade. If a machine doesn't include a paper trail for backup, it's suspect. That's been the case since e-voting machines have been on the market, and many of us have been pointing this out all along. And the big e-voting companies have a long history of not really caring, even as their machines are shown to be vulnerable in a variety of ways. So it come as little to no surprise to find out that security firm Cylance has announced that it's found yet another set of e-voting vulnerabilities in the Sequoia AVC Edge Mk1 voting machine. Sequoia especially has a long history of buggy, faulty machines.

Users of the Debian-based Parsix GNU/Linux 8.15 "Nev" and Parsix GNU/Linux 8.10 "Erik" distributions are in for a treat this weekend, as a new kernel update and latest Debian Stable security updates landed in the software repositories.

MySQL, MariaDB, and PerconaDB administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database.

The two critical vulnerabilities, which can lead to arbitrary code execution, root privilege escalation, and server compromise, affect MySQL and forks like Percona Server, Percona XtraDB Cluster, and MariaDB, according to security researcher Dawid Golunski, who provided details of the vulnerability on LegalHackers. Administrators should install the latest updates as soon as possible, or in cases where the patches cannot be applied, they should disable symbolic link support within the database server configuration by setting symbolic-links=0 in my.cnf.

While programming, it’s easy to get tunnel-vision or to accept some “tiny” risk that things could go wrong at some point but write the code that way anyway. That’s what happened with MySQL and MariaDB. Creating a database should not create a vulnerability but it does, because a repair operation allows changing permissions of a file with a particular name which a bad guy could substitute with malicious code…

Linux, FreeBSD, and Unix-like systems are multi-user and need some way of authenticating individual users. Back in the old days, this was done in different ways. You need to change each Unix application to use different authentication scheme. Also, authentication schemes differed between a variant of Unix systems. Porting was a nightmare. For example to use Windows Server (Active Directory) or LDAP for authentication you need to make changes to an application. Each application had its way of authenticating users. So Open Group lead to the development of PAM for the Unix-like system. Today Linux, FreeBSD, MacOS X and many other Unix-like systems are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM). The book “PAM Mastery” deals with the black magic of PAM.

A few moments ago, renowned Linux kernel maintainer Greg Kroah-Hartman had the pleasure of announcing the general availability of the Linux kernel 4.8.13 and Linux kernel 4.4.37 LTS maintenance updates.
While many rolling GNU/Linux distributions have just received the Linux 4.8.12 kernel, it looks like Linux kernel 4.8.13 is now available with more improvements and bug fixes, but it's not a major milestone. According to the appended shortlog and the diff since last week's Linux 4.8.12 kernel release, a total of 46 files were changed, with 214 insertions and 95 deletions.

openSUSE's Douglas DeMaio reports on the latest Open Source and GNU/Linux technologies that landed in the repositories of the openSUSE Tumbleweed rolling operating system.

What Is A VPN Connection? Why To Use VPN?

We all have heard about VPN sometime. Most of us normal users of internet use it. To bypass the region based restrictions of services like Netflix or Youtube ( Yes, youtube has geo- restrictions too). In fact, VPN is actually mostly used for this purpose only. ​

The Libreboot C201 from Minifree is really really really ridiculously open source

Open source laptops – ones not running any commercial software whatsoever – have been the holy grail for free software fans for years. Now, with the introduction of libreboot, a truly open source boot firmware, the dream is close to fruition.
The $730 laptop is a bog standard piece of hardware but it contains only open source software. The OS, Debian, is completely open source and to avoid closed software the company has added an Atheros Wi-Fi dongle with open source drivers rather than use the built-in Wi-Fi chip.